views:

27

answers:

1

Hi,

I want to know where is most desirable location to put the login page when SSL is required. I can put ~/login.aspx in the root directory and check "require secure chancel(SSL)" in IIS just for file login.aspx. In this article, http://msdn.microsoft.com/en-us/library/ms998310.aspx#paght000012_additionalconsiderations, it suggests putting the login.aspx under a subdirectory eg /secure/login.aspx I wonder whether the location of the login.aspx matters. What is common practice to protect the login and signup pages.

+2  A: 

Put the login.aspx in the root. You have formsauthetication enabled, disallow access to all content and explicitly allow access to the login.aspx and all necessary files (style directory, image directory)

citronas
do I enable SSL for the whole site or just login.aspx andsignup.aspx?
It depends on whether the contents of the entire site need to be encrypted or not
Greg
In this article, http://msdn.microsoft.com/en-us/library/ms998310.aspx#paght000012_additionalconsiderations , It said "In Figure 1, secure pages, including the application's login page, are placed in the Secure folder beneath the application's virtual root directory." I want to know If the login page is under a secure folder which denies the access from the anonymous users, how can they even get to the login page to authenticate themselves?
have a look at the location tag in the web.config. you probably need do add it under <system.web> therein you can explicitly say that some resources are allow/disallowed to access
citronas